MS Removal Tool (Malware)

Over the past few weeks I have had to help six people remove the MS Removal Tool program, which restricts computers quite excessively, so I thought I would write up a quick guide on how to remove it from your PC. There are two ways to do this, depending on how much you wish to delve into the workings of Windows and if it's possible.

What is the MS Removal Tool? This is a piece of software that looks genuine in order to entice you into purchasing a program to remove viruses and trojans which may not actually be on your PC. Most people think that because it looks like a Microsoft product it's genuine, but sadly this is not the case.

The simple way to remove it is as follows.


Step 1.

Start your computer and, as the machine is booting, begin pressing F8 before the Windows loading screen appears. You will be given the options for various boot modes, including ‘Safe mode with networking’.

Using the arrow keys on your keyboard highlight this option and press ENTER.

Step 2.

As your PC starts to load into “Safe Mode” you will notice the screen looks slightly different from the standard Windows screen, telling you that you are in safe mode. This mode runs only the minimal set of programs and services needed to start Windows, allowing you to carry out various functions.

Open your Internet browser, search Google for “Malwarebytes Anti-Malware” and download the free version (direct link here). Once it is downloaded and run, it should ask you to update the database to the current version. Once the update is complete, run the scan – the quick scan is sufficient to remove the MS Removal Tool. Once the scan is complete, or if you run this program already, you will probably only find 1 or 2 infected items, which you need to remove. Once they are removed the program will ask you to reboot; this should remove the program and give you full access back to your PC.

If for some reason you can't view the internet you will need to check the following settings (images are shown for Internet Explorer).

Start IE and navigate to the Tools menu, where you will find Internet Options, and follow the diagram instructions.

Hopefully this will restore your internet activity and allow you to browse as normal. Once the scan and this have been done, reboot your PC and all should be well, as it has been on the computers I have worked on, with the exception of one. On that PC the program was a little harder to remove and involved editing the Windows registry, which a lot of people are frightened to do in case they make an error. If the above doesn't work and you would like the other method, please contact me.


32 Responses to “MS Removal Tool (Malware)”

  1. Gerard Capra says:

    Thank you for your help removing "MS removal tool". It was making life miserable. My anti-virus software was deactivated and even after using the virus scan in safe mode, the virus wasn't found.

  2. Jake says:

    This thing attacked my computer less than an hour ago and I kept getting the MS removal messages so I went on my laptop to see what I could do. While trying to shut down my computer to reduce loss of memory I accidentally disabled my wireless connection. While in safe mode I went to the control panel to try and enable it again and it worked at first but then it went back to disabled and each time I tried to enable it it failed. Not sure what to do now, although I was thinking I could just connect an ethernet cable from my modem to my computer in order to get internet back.

    • BBandB says:

      Unless you can get into safe mode to use the program suggested, the only way would be to edit the registry of the laptop. If you would like the guide on how to do it, let me know.

  3. alan c says:

    When in safe mode with the task window opened I do not see any odd symbols that indicate the infections. What signs should I look for in the task bar? Most of the processes have 5-7 letters, nothing standing out as a red flag – what am I missing? Thanks

    • BBandB says:

      When in safe mode, if you download Malwarebytes and run it, it will root out the infections – as you are in safe mode the program will not be running, as Safe mode is a minimal set of processes to allow you to make changes.

  4. alan c says:

    Thank you very much. I will download malware and post back with results.

    • BBandB says:

      If that doesn't work the other fix is a bit more in depth and requires registry value removal. Let me know how you get on and if need be I will do the other guide.

      • alan c says:

        Thank you very much. I followed your directions and downloaded Malwarebytes, and BAM that bad boy was gone! So far so good. Should I check on registry removal? I was using Avira antivir Free program. Should I buy the upgraded Malwarebytes? Thanks again. Al

        • BBandB says:

          I'm glad you got this sorted and the guide helped you. Malwarebytes program checks the registry as well Alan so no need to do that way also. If you are happy with the program by all means support the company but the Free program is adequate for non commercial use.

  5. Don Johnson says:

    BBandB – Thank you! Thank you! Thank you!

    Your info' was just what I needed to stop me going mad!

    My Panda antivirus software did not find the MSRemoval Tool files/infections when I ran it in Safe Mode, and it wouldn't start at all in Normal mode – and lots of other progs were inhibited also.

    You've added a couple of years to my life!

    • BBandB says:

      I am glad the guide worked for you and that it helped you remove the Malware – thank you also for commenting on the post and giving feedback.

  6. Tash says:

    Hi, I've gone through these steps and removed it using Malwarebytes – but now Internet Explorer won't open at all… I can seem to access everything else on my computer, just not IE! When I ran MWB I had 11 things it found though – so not sure if the problem now is related to the MS Removal virus or something else? Is there anything you can suggest?

    • BBandB says:

      Does IE not start at all or can you just not view the internet? It may be that one of the other infections damaged an IE file. If you let me know exactly what happens when you start IE I will sort you the fix if possible.

  7. lewisb says:

    Last night, before I read your instructions, I did the same steps except I was in safe mode instead of safe mode with networking. I finally found my Malwarebytes program and ran a full scan overnight with 16 objects found infected. After cleaning those with success (so it said) I rebooted and the MS removal tool was back again. I don't know a lot about computers, but could it be because of me being in safe mode instead of safe mode with networking? Any suggestions would be appreciated!!

    • BBandB says:

      No, it wouldn't be that – but try again with networking options and make sure you update Malwarebytes before running it. It may be that you need to remove keys from the registry – I will do the registry removal guide tomorrow and email you the link.

      • lewisb says:

        The problem is that I cannot connect to VZAccess Manager to get the updates. It has internet access blocked as well.

        • BBandB says:

          Hi Lewis

          Have you checked the options in the last part of my guide in internet options to check if some of the check boxes are ticked etc?

  8. alan c says:

    I followed your instructions for MS tool removal using Malwarebytes and that seemed to fix the problem, but now I have XP SECURITY ALERT blocking I.E. When I try safe mode w/networking the XP ALERT does not allow me to download or run Malwarebytes or any other program. I had to click on IE at least 25 times to get online. I am being blocked from running any program scans. Any suggestions? Thanks Al

    • BBandB says:

      Disconnect your internet from the infected PC and once it has started try the following. Open Task Manager (CTRL – ALT – DEL) and search in the Processes tab for XPsecuritycenter.exe – click end task. Disconnect your internet and run Malwarebytes again and see if it picks up any infection. This program will self install itself again if it's not removed – it may be an idea to delete any temporary internet files and do a disk clean up.

      There are a number of files that may be causing the infection so if this doesn't work please let me know.

  9. alan c says:

    Thanks for your reply. No luck with the options above.

    I am on the infected PC in safe mode now. I don't see any XPsecurity listed in task bar and when I try to run the Malbytes download, the XP threat blocks it. I don't have a 2nd PC. Are there any steps to take from another PC, maybe from the local library?

  10. alan c says:

    I am running Windows XP. I just downloaded a new Malbytes and when I hit run, the XP VIRUS blocked it from running. I don't feel comfortable using the Combofix. What do you mean by command prompt? Thank you.

  11. alan c says:

    I also noticed in the taskbar I see a number of names, 6 for svchost.exe on user name local service, network service and system services.

    • BBandB says:

      svchost.exe is a critical Windows process so they are fine – command prompt is found by clicking Start, then the RUN option; in the box type CMD and press return, and a black box will appear which is your command prompt.

  12. Hazel1558 says:

    Thank you so much for the above.
    Ms Tool Removal is such a nasty program as it disables everything on your computer. If you follow the above steps it does work. Thank god for Safe mode with networking, Malwarebytes Anti-Malware & of course 😀

  13. DebraZebra says:

    My husband was logged in under his user name when MS Tool Removal infected our shared computer. It has blocked web and e-mail and Word. I can log in with my user name and don't seem to be affected so I have downloaded and run the Malwarebytes Anti-Malware. First time (not in safe mode, cursor wouldn't move to choose it) it found one infected file which I deleted. Hubbie's 'half' of the computer still has MS Tool Removal though. Since found out how to run in safe mode (via msconfig and changing the boot choice), and run the anti-malware again. Nothing found this time. MS Tool Removal still there. Have tried a few more times, including copying the anti-malware icon to husband's desktop in safe mode and running it from there. Nothing found each time, but it has not got rid of it. Help please!! May need to edit the Windows registry and don't know how! Thanks for help so far, hope you can solve the problem.

    • bestbitsandbobs says:

      Hi DebraZebra, I have created a guide for the registry removal side here… – please let me know if it helps (I have also emailed you the link)

      • DebraZebra says:

        Thanks for the advice. Have done a dry run in all 3 accounts and found what I suspect is the infected item just in my husband's HKEY_CURRENT_USER folder. It's called jK01803LkNkF01803 and is in C:\Docs & Settings\AllUsers\Application Data\. I haven't deleted it yet, but followed the next steps. When I searched for this file first I didn't include hidden files and folders, and the search only came up with in C:\Windows\Prefetch 109KB PF File. I assume this is what gets the virus up and running before anything else. Then I widened the search to include hidden files and also got a file folder with the exact name and location as in HKEY_CURRENT_USER, plus a 1KB file and a 387KB application both with the same location but with the jKetc string after it as well. Please could you confirm if I need to delete all of these? Your instructions are very clear and easy to use, so far so good, but I am taking it in easy stages! Many thanks.

        • bestbitsandbobs says:

          Hi DebraZebra – I would delete them all and the registry entry – let me know the results.

          • DebraZebra says:

            Success!!! Thank you so much for your help. Just fyi when I re-ran the malware scan it found an infected item in the recycling, presumably one of the items I had deleted. Removed that thru the malware, but do I also need to delete the deleted as well? How do I do this? Will run full virus scan overnight, but am confident that the registry removal method has worked. If only the people who create these things put their talents to better use like you do. Thanks again.

          • bestbitsandbobs says:

            I'm glad you found the guide helpful and easy to follow. I would say if Malwarebytes removed the item it should be deleted.
